Implement the IATReferenceScan and IATSearcher.

Anti-Rootkit.sln

@@ -29,6 +29,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libMinHook", "minhook\build
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Test", "Test\Test.vcxproj", "{F967758B-AE4A-44F6-AC12-7F63A9CE23E3}"
 EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "diStorm3", "diStorm3\diStorm3.vcxproj", "{BF8907F1-25D4-4F6F-AB03-7FF29FF56588}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|ARM = Debug|ARM
@@ -236,6 +238,18 @@ Global
 		{F967758B-AE4A-44F6-AC12-7F63A9CE23E3}.Release|x86.ActiveCfg = Release|Win32
 		{F967758B-AE4A-44F6-AC12-7F63A9CE23E3}.Release|x86.Build.0 = Release|Win32
 		{F967758B-AE4A-44F6-AC12-7F63A9CE23E3}.Release|x86.Deploy.0 = Release|Win32
+		{BF8907F1-25D4-4F6F-AB03-7FF29FF56588}.Debug|ARM.ActiveCfg = Debug|Win32
+		{BF8907F1-25D4-4F6F-AB03-7FF29FF56588}.Debug|ARM64.ActiveCfg = Debug|Win32
+		{BF8907F1-25D4-4F6F-AB03-7FF29FF56588}.Debug|x64.ActiveCfg = Debug|x64
+		{BF8907F1-25D4-4F6F-AB03-7FF29FF56588}.Debug|x64.Build.0 = Debug|x64
+		{BF8907F1-25D4-4F6F-AB03-7FF29FF56588}.Debug|x86.ActiveCfg = Debug|Win32
+		{BF8907F1-25D4-4F6F-AB03-7FF29FF56588}.Debug|x86.Build.0 = Debug|Win32
+		{BF8907F1-25D4-4F6F-AB03-7FF29FF56588}.Release|ARM.ActiveCfg = Release|Win32
+		{BF8907F1-25D4-4F6F-AB03-7FF29FF56588}.Release|ARM64.ActiveCfg = Release|Win32
+		{BF8907F1-25D4-4F6F-AB03-7FF29FF56588}.Release|x64.ActiveCfg = Release|x64
+		{BF8907F1-25D4-4F6F-AB03-7FF29FF56588}.Release|x64.Build.0 = Release|x64
+		{BF8907F1-25D4-4F6F-AB03-7FF29FF56588}.Release|x86.ActiveCfg = Release|Win32
+		{BF8907F1-25D4-4F6F-AB03-7FF29FF56588}.Release|x86.Build.0 = Release|Win32
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

PEParser/PEParser.cpp

@@ -9,15 +9,16 @@
 
 
 PEParser::PEParser(const wchar_t* path) :_path(path) {
-	_hFile = ::CreateFile(path, GENERIC_READ, FILE_SHARE_READ, nullptr, OPEN_EXISTING, 0, nullptr);
+	_hFile = ::CreateFile(path, GENERIC_READ | GENERIC_WRITE,
+		FILE_SHARE_READ | FILE_SHARE_WRITE, nullptr, OPEN_EXISTING, 0, nullptr);
 	if (_hFile == INVALID_HANDLE_VALUE)
 		return;
 	::GetFileSizeEx(_hFile, &_fileSize);
-	_hMemMap = ::CreateFileMapping(_hFile, nullptr, PAGE_READONLY, 0, 0, nullptr);
+	_hMemMap = ::CreateFileMapping(_hFile, nullptr, PAGE_READWRITE, 0, 0, nullptr);
 	if (!_hMemMap)
 		return;
 
-	_address = (PBYTE)::MapViewOfFile(_hMemMap, FILE_MAP_READ, 0, 0, 0);
+	_address = (PBYTE)::MapViewOfFile(_hMemMap, FILE_MAP_ALL_ACCESS, 0, 0, 0);
 	if (!_address)
 		return;
 
@@ -306,6 +307,26 @@ unsigned PEParser::RvaToFileOffset(unsigned rva) const {
 	return rva;
 }
 
+DWORD_PTR PEParser::RVAToRelativeOffset(DWORD_PTR rva) const {
+	auto sections = _sections;
+	for (int i = 0; i < GetSectionCount(); ++i) {
+		if (rva >= sections[i].VirtualAddress && rva < sections[i].VirtualAddress + _sections[i].Misc.VirtualSize)
+			return rva - sections[i].VirtualAddress;
+	}
+
+	return 0;
+}
+
+int PEParser::RVAToSectionIndex(DWORD_PTR rva) const {
+	auto sections = _sections;
+	for (int i = 0; i < GetSectionCount(); ++i) {
+		if (rva >= sections[i].VirtualAddress && rva < sections[i].VirtualAddress + _sections[i].Misc.VirtualSize)
+			return i;
+	}
+
+	return -1;
+}
+
 bool PEParser::GetImportAddressTable() const {
 	auto dir = GetDataDirectory(IMAGE_DIRECTORY_ENTRY_IAT);
 	if (dir->Size == 0)
@@ -471,4 +492,8 @@ void PEParser::RelocateImageByDelta(std::vector<RelocInfo>& relocs, const uint64
 				*reinterpret_cast<uint64_t*>(current_reloc.address + offset) += delta;
 		}
 	}
+}
+
+PVOID PEParser::GetDataDirectoryAddress(UINT index, PULONG size) const {
+	return ::ImageDirectoryEntryToData(_address, FALSE, index, size);
 }

PEParser/PEParser.h

@@ -213,13 +213,15 @@ class PEParser final {
 	//std::vector<std::pair<DWORD, WIN_CERTIFICATE>> EnumCertificates() const;
 	//const IMAGE_LOAD_CONFIG_DIRECTORY64* GetLoadConfiguration64() const;
 	//const IMAGE_LOAD_CONFIG_DIRECTORY32* GetLoadConfiguration32() const;
-	//PVOID GetDataDirectoryAddress(UINT index, PULONG size) const;
+	PVOID GetDataDirectoryAddress(UINT index, PULONG size) const;
 
 	bool IsImportLib() const;
 	bool IsObjectFile() const;
 	ULONG GetExportByName(PCSTR exportName);
 	HANDLE GetFileHandle();
 	unsigned RvaToFileOffset(unsigned rva) const;
+	DWORD_PTR RVAToRelativeOffset(DWORD_PTR rva) const;
+	int RVAToSectionIndex(DWORD_PTR rva) const;
 	IMAGE_SECTION_HEADER* GetSections();
 
 	LARGE_INTEGER GetFileSize() const;